FYI - Hacking Damage
Limited, Bank Reports - Commerce Bank says it deflected most of a
hacking attempt on its database, but some customer information was
divulged. A regional bank in the U.S. said it was able to deflect
most of a hacking attempt on its database, but not before some
customer information was divulged.
FYI - Feds pull the
domain name plug on state of California - The federal government
pulled the plug on the Web domain name used by the state of
California on Tuesday, setting into motion a chain of events that
threatened to grind government business to a standstill within the
state. State IT staffers were able to fix the problem within a few
hours, narrowly averting disaster, but the situation shed light on
what observers are calling a shocking weakness in the state's IT
FYI - The National
Institute of Standards and Technology (NIST) has released five new
and revised publications related to information security.
800-44 version 2, "Guidelines on Securing Public Web Servers;" Draft
800-55 Revision 1, "Performance Measurement Guide for Information
Security;" Draft SP 800-61 Revision 1, "Computer Security Incident
Handling Guide;" SP 800-82, "Guide to Industrial Control Systems
Security;" and Draft SP 800-110, Information System Security
FYI - Chinese internet
security response team under attack - A recent post by
the team at the Chinese Internet Security Response Team to their
English-language site indicates that some of the site visitors are
experiencing an attack from the CISRT.org site as a result of an
injected IFRAME tag.
FYI - VistA outage
disrupts Calif. VA hospitals - The Veterans Affairs Department
suffered an outage of its electronic health record system for nine
hours Aug. 31 at 17 medical facilities in northern California, VA
health care officials said.
FYI - Financial
institutions spending on security and governance - Four out of five
firms have adopted a security governance framework - The Deloitte &
Touche annual survey of security practices at 169 financial
institutions found that 98% of them are spending more on information
security this year than last year, and putting a greater emphasis on
FYI - Hacker breaks into
eBay server, locks users out - A malicious hacker broke into an eBay
server late last week and temporarily suspended the accounts of a
"very small" number of members, the company said.
FYI - Tax man praised
for owning up to lost laptop - HM Revenue and Customs (HMRC) has
become the latest organisation to apologise to clients as the result
of a lost laptop. A machine containing personal data was stolen from
the car of an HMRC staff member last month, the UK tax department
confirmed on Monday. The tax worker had been using the laptop for a
routine audit of tax information from several investment firms.
FYI - Privacy breach at
MacEwan - A city college chose not to inform students and others
whose personal credit information was left publicly available
through its Internet site, it has confirmed. MacEwan College was
cited in the auditor general's report this week after a tipster told
the AG's office about the security breach in 2006. It mirrored
access problems in 2002-2003, the AG's report confirmed.
WEB SITE COMPLIANCE - This week begins our series on the FDIC's
Supervisory Policy on Identity Theft (Part 1 of 6)
Supervisory Policy on Identity Theft
Identity theft is fraud committed or attempted by using the
identifying information of another person without his or her
authority. Identifying information may include such things as a
Social Security number, account number, date of birth, driver's
license number, passport number, biometric data and other unique
electronic identification numbers or codes. As more financial
transactions are done electronically and remotely, and as more
sensitive information is stored in electronic form, the
opportunities for identity theft have increased significantly.
This policy statement describes the characteristics of identity
theft and emphasizes the FDIC's well-defined expectations that
institutions under its supervision detect, prevent and mitigate the
effects of identity theft in order to protect consumers and help
ensure safe and sound operations.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the
FDIC "Security Risks Associated with the
Symmetric and Asymmetric Key Systems
There are two types of cryptographic key systems, symmetric and
asymmetric. With a symmetric
key system (also known as secret key or private key systems), all
parties have the same key. The
keys can be used to encrypt and decrypt messages, and must be kept
secret or the security is compromised.
For the parties to get the same key, there has to be a way to
securely distribute the key to each party.
While this can be done, the security controls necessary make
this system impractical for widespread and commercial use on an open
network like the Internet. Asymmetric key systems can solve this problem.
In an asymmetric key system (also known as a public key system), two
keys are used. One key is kept secret, and therefore is referred to
as the "private key." The other key is made widely available to
anyone who wants it, and is referred to as the "public key." The
private and public keys are mathematically related so that
information encrypted with the private key can only be decrypted by
the corresponding public key. Similarly,
information encrypted with the public key can only be decrypted by
the corresponding private key. The private key, regardless of the
key system utilized, is typically specific to a party or computer
system. Therefore, the sender of a message can be authenticated as
the private key holder by anyone decrypting the message with a
public key. Importantly,
it is mathematically impossible for the holder of any public key to
use it to figure out what the private key is.
The keys can be stored either on a computer or on a
physically separate medium such as a smart card.
Regardless of the key system utilized, physical controls must exist
to protect the confidentiality and access to the key(s).
In addition, the key itself must be strong enough for the
intended application. The appropriate encryption key may vary depending on how
sensitive the transmitted or stored data is, with stronger keys
utilized for highly confidential or sensitive data.
Stronger encryption may also be necessary to protect data
that is in an open environment, such as on a Web server, for long
time periods. Because
the strength of the key is determined by its length, the longer the
key, the harder it is for high-speed computers to break the code.
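An added illustration of the asymmetric key relationship and the key-length point made above (this is not the FDIC's or the newsletter's code). It uses a toy "textbook" RSA pair from constructed primes p=61, q=53 with e=17, with no padding, and assumes Python 3.8 or later; the tiny modulus exists only so that the brute-force recovery in the last function finishes instantly, which is exactly why real keys must be far longer.

```python
# Added illustration, not the FDIC's or the newsletter's code. A toy
# "textbook" RSA pair built from tiny constructed primes (p=61, q=53, e=17;
# no padding, never use for real data) shows the public/private relation
# described above and why key length determines strength. Needs Python 3.8+.
import math

def make_keypair(p, q, e):
    """Build (public, private) keys from two primes; each key is (modulus, exponent)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse, so e*d == 1 (mod phi)
    return (n, e), (n, d)

def encrypt(public, m):
    """Encrypt with the public key; only the matching private key reverses it."""
    n, e = public
    return pow(m, e, n)

def decrypt(private, c):
    n, d = private
    return pow(c, d, n)

def sign(private, m):
    """'Encrypt' with the private key: anyone holding the public key can open
    it, which is what authenticates the sender as the private key holder."""
    n, d = private
    return pow(m, d, n)

def verify(public, m, sig):
    n, e = public
    return pow(sig, e, n) == m

def recover_private(public):
    """Recover the private key by factoring the modulus with trial division.
    Returns (private_key, divisions_tried). Only feasible because the toy
    modulus is tiny: work grows with sqrt(n), the 'longer key, harder to break' point."""
    n, e = public
    tries = 0
    for p in range(2, math.isqrt(n) + 1):
        tries += 1
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1))), tries
    raise ValueError("modulus is not a product of two primes")

PUBLIC, PRIVATE = make_keypair(61, 53, 17)  # constructed toy parameters
```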
IT SECURITY QUESTION:
Disaster recovery planning:
a. Is there a written disaster recovery plan?
b. Has the disaster recovery plan been tested within the past year?
c. Does the bank have a backup site?
d. Is a current copy of the disaster recovery plan kept off-site with
the backup tapes?
e. Do appropriate personnel have a current copy of the disaster
recovery plan at their residence?
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Redisclosure of nonpublic personal information received from a
nonaffiliated financial institution outside of Sections 14 and 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure of the
information where the institution is the recipient of nonpublic
personal information (§11(b)).
B. Select a sample of data received from nonaffiliated financial
institutions and shared with others to evaluate the financial
institution's compliance with redisclosure limitations.
1. Verify that the institution's redisclosure of the
information was only to affiliates of the financial institution from
which the information was obtained or to the institution's own
affiliates, except as otherwise allowed in step 2 below (§11(b)(1)(i)
2. If the institution shares information with entities other
than those under step 1 above, verify that the institution's
information sharing practices conform to those in the nonaffiliated
financial institution's privacy notice (§11(b)(1)(iii)).
3. Also, review the procedures used by the institution to
ensure that the information sharing reflects the opt out status of
the consumers of the nonaffiliated financial institution (§§10,